What Is Claimed Is: 



1 1 . In a multi-stage intrusion detection system, a method of detecting a 

2 plurality of intrusion attacks to a packet transmitted on a network, the intrusion attacks 

3 associated with a plurality of conditions, the method comprising: 

4 receiving the packet; 

5 determining at a first stage of the intrusion detection system whether a first 

6 condition assigned to the first stage is satisfied for the packet; 

7 determining at a second stage of the intrusion detection system whether a 

8 second condition assigned to the second stage is satisfied for the 

9 packet; and 

w determining that the packet corresponds to an intrusion attack when it is 

u determined that the first condition and the second condition are 

12 satisfied. 

/ 2. The method of claim 1 , wherein responsive to determining that the packet 

2 corresponds to an intrusion attack, the method further comprises taking an action for the 

3 intrusion attack. 

1 3. The method of claim 2, wherein the action comprises warning that the 

2 intrusion attack occurred. 
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1 4. The method of claim 1 , wherein determining at a first stage whether a first 

2 condition is satisfied comprises: 

3 responsive to the first condition being satisfied, adding an indication to the 

4 packet representing that the first condition is satisfied. 



; 5 . The method of claim 4, wherein determining that the packet corresponds 

2 to an intrusion attack comprises determining that the indication is added and that the 

3 second condition is satisfied. 

1 6. The method of claim 1 , wherein the network is the Internet and the packet 

2 is an IP packet. 

1 7. An intrusion detection system for detecting a plurality of intrusion attacks 

2 to a packet transmitted on a network, each intrusion attack associated with a plurality of 

3 conditions, each condition belonging to one of a first, second, third, fourth and fifth set of 

4 conditions, the intrusion detection system comprising: 

5 a generic extension builder for (i) receiving the packet, (ii) processing the 

6 first set of conditions on the packet to generate generic extensions, 

7 and (iii) outputting the packet along with the generic extensions 

8 added to the packet; 

P a session cache module coupled to the generic extension builder for (i) 

jo receiving the packet with the generic extension, (ii) processing the 

y } second set of conditions on the packet to generate session cache 

1 2 extensions, and (iii) outputting the packet along with the generic 

13 extensions and the session cache extensions added to the packet; 
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14 an application decode module coupled to the session cache module for (i) 

j 5 receiving the packet with the generic extensions and the session 

16 cache extensions, (ii) processing the third set of conditions on the 

17 packet to generate application decode extensions, and (iii) 

18 outputting the packet along with the generic extensions, the session 

19 cache extensions, and the application decode extensions added to 

20 the packet; 

2 1 a rule engine module coupled to the application decode module for (i) 

22 receiving the packet with the generic extensions, the session cache 

23 extensions, and the application decode extensions; (ii) processing 

24 the fourth set of conditions on the packet to generate rule engine 

25 extensions, and (iii) outputting the packet along with the generic 

26 extensions, the session cache extensions, the application decode 

27 extensions, and the rule engine extensions added to the packet; and 

28 an intrusion detection policy engine coupled to the rule engine module for 

29 (i) receiving the packet with the generic extensions, the session 

30 cache extensions, the application decode extensions, and the rule 

3 j engine extensions; (ii) processing the fifth set of conditions on the 

32 packet, (iii) determining whether all the conditions of an intrusion 

33 attack are satisfied based upon the generic extensions, the session 

34 cache extensions, the application decode extensions, the rule 

35 engine extensions, and the processed fifth set of conditions, (iv) 
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taking an action corresponding to the determined intrusion attack, 
and (v) outputting the packet. 

8. The intrusion detection system of claim 7, further comprising a policy 
manager controlling the application decode module, the rule engine module, and the 
intrusion detection policy engine, wherein: 

the application decode module receives application decode data from the 
policy manager for use in processing the third set of conditions on 
the packet; 

the rule engine module receives the fourth set of conditions from the 

policy manager; and 
the intrusion detection policy engine receives the fifth set of conditions 

from the policy manager. 

9. A multi-stage intrusion detection system for detecting a plurality of 
intrusion attacks to a packet transmitted on a network, each intrusion attack associated 
with a plurality of conditions, the multi-stage intrusion detection system comprising: 

a plurality of modules each corresponding to selected ones of the 
conditions and each determining whether the corresponding 
conditions are satisfied; and 

a policy manager controlling selected ones of the modules and providing 
information used in determining whether the corresponding 
conditions are satisfied to the selected ones of the modules, 
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wherein an intrusion attack is detected when all the conditions 

corresponding to the intrusion attack are determined to be satisfied 
by the respective modules. 

1 0. An intrusion detection system for detecting a plurality of intrusion attacks 
to a packet transmitted on a communication network, each intrusion attack associated 
with a rule having a plurality of conditions and an action to be taken when the intrusion 
attack is detected, the intrusion detection system comprising: 

a rule database storing the rules for each of the intrusion attacks; 
a policy compiler coupled to the rule database and converting the 

conditions in the rules to a rule tree, the rule tree including a 
plurality of condition node pairs each having an expression node 
and a value node, each condition node pair corresponding to one 
condition and coupled to another condition node pair via at least 
one branch to form a plurality of paths, such that traversing along 
one of the paths corresponds to determining the conditions of a 
rule associated with one of the intrusion attacks; and 
an intrusion detection policy agent coupled to the policy compiler for 
determining whether an intrusion attack occurred to the packet 
based upon the rule tree provided by the policy compiler. 

1 1 . The intrusion detection system of claim 1 0, wherein a user provides the 
rule database with the rules for the intrusion attacks. 
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12. The intrusion detection system of claim 1 0, wherein the network is the 
Internet and the rules for the intrusion attacks are provided to the rule database by a 
website storing the rules. 

13. The intrusion detection system of claim 10, wherein the policy compiler 
converts the conditions to the rule tree by grouping common conditions among the rules, 
each condition node pair in the tree corresponding to one of the common conditions or a 
non-common condition, and coupling a first condition node pair with a second condition 
node pair among the condition node pairs when both the first and second condition node 
pairs correspond to a same rule. 

14. The intrusion detection system of claim 10, wherein a user selects a 
number of rules among the rules stored in the rule database and provides the selection of 
the rules to the policy manager, and the policy manager converts the conditions in only 
the selected rules to the rule tree. 

1 5 . The intrusion detection system of claim 1 0, wherein the intrusion 
detection policy agent comprises a plurality of modules each corresponding to selected 
ones of the condition node pairs and each determining whether the conditions 
corresponding to the selected ones of the condition node pairs are satisfied, wherein an 
intrusion attack is detected when all the conditions corresponding to the intrusion attack 
are determined to be satisfied by the respective modules. 

1 6. The intrusion detection system of claim 15, further comprising a policy 
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manager controlling selected ones of the modules of the intrusion detection policy agent 
and providing information used for determining whether the conditions are satisfied to 
the selected ones of the modules. 

17. The intrusion detection system of claim 15, wherein the conditions belong 
to one of a first, second, third, fourth, and fifth set of conditions, and the plurality of 
modules comprise: 

a generic extension builder for (i) receiving the packet, (ii) processing the 
first set of conditions on the packet to generate generic extensions, 
and (iii) outputting the packet along with the generic extensions 
added to the packet; 
a session cache module coupled to the generic extension builder for (i) 

receiving the packet with the generic extensions, (ii) processing the 
second set of conditions on the packet to generate session cache 
extensions, and (iii) outputting the packet along with the generic 
extensions and the session cache extensions added to the packet; 
an application decode module coupled to the session cache module for (i) 
receiving the packet with the generic extensions and the session 
cache extensions, (ii) processing the third set of conditions on the 
packet to generate application decode extensions, and (iii) 
outputting the packet along with the generic extensions, the session 
cache extensions, and the application decode extensions added to 
the packet; 
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20 a rule engine module coupled to the application decode module for (i) 

21 receiving the packet with the generic extensions, the session cache 

22 extensions, and the application decode extensions; (ii) processing 

23 the fourth set of conditions on the packet to generate rule engine 

24 extensions, and (iii) outputting the packet along with the generic 

25 extensions, the session cache extensions, the application decode 

26 extensions, and the rule engine extensions added to the packet; and 

27 an intrusion detection policy engine coupled to the rule engine module for 

28 (i) receiving the packet with the generic extensions, the session 

jasssi 

D 29 cache extensions, the application decode extensions, and the rule 

01 30 engine extensions; (ii) processing the fifth set of conditions on the 

ni 

Jf? 31 packet, (iii) determining whether all the conditions of an intrusion 

m 

y" 32 attack are satisfied based upon the generic extensions, the session 

s 

y, 33 cache extensions, the application decode extensions, the rule 

SI 34 engine extensions, and the processed fifth set of conditions, (iv) 

IU 35 taking an action corresponding to the determined intrusion attack, 

36 and (v) outputting the packet. 

1 18. The intrusion detection system of claim 1 7, wherein the policy manager 

2 controls the application decode module, the rule engine module, and the intrusion 

3 detection policy engine, and wherein: 

4 the application decode module receives application decode data from the 

5 policy manager for use in processing the fifth set of conditions on 

6 the packet; 
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7 the rule engine module receives the fourth set of conditions from the 

8 policy manager; and 

9 the intrusion detection policy engine receives the fifth set of conditions 
w from the policy manager. 

; 1 9. A computer-readable medium storing a rule tree for use in an intrusion 



2 detection system for detecting a plurality of intrusion attacks to a packet transmitted on a 

3 network, each intrusion attack associated with a rule having a plurality of conditions and 

4 an action to be taken when the intrusion attack is detected, wherein the rule tree 

5 comprises a plurality of condition node pairs each having an expression node and a value 

6 node, each condition node pair corresponding to one condition and coupled to another 
jfg J 7 condition node pair via a branch to form a plurality of paths, such that traversing along 
ry 8 one of the paths corresponds to determining all the conditions of the rule associated with 

■arsS 

s 9 one of the intrusion attacks. 



H; i 20. The computer-readable medium of claim 19, wherein: 

JrJ 2 the rules include common conditions corresponding to more than one rule; 

3 at least one of the condition node pairs in the tree corresponds to one of 

4 the common conditions; and 

5 the condition node pairs are coupled to one another via branches when the 

6 coupled condition node pairs correspond to a same rule. 

l 21 . A multi-stage intrusion detection system for detecting a plurality of 



2 intrusion attacks to a packet transmitted on a network, the intrusion attacks associated 

3 with a plurality of conditions, the multi-stage intrusion detection system comprising: 
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a first stage receiving the packet and determining whether a first condition 
assigned to the first stage is satisfied for the packet; and 

a second stage determining whether a second condition assigned to the 
second stage is satisfied for the packet, 

wherein the multi-stage intrusion detection system determines that the 

packet corresponds to an intrusion attack when it is determined that 
the first condition and the second condition are satisfied, 

22. The multi-stage intrusion detection system of claim 21, wherein 
responsive to determining that the packet corresponds to an intrusion attack, the multi- 
stage intrusion detection system takes an action for the intrusion attack. 

23. The multi-stage intrusion detection system of claim 22, wherein the action 
comprises warning that the intrusion attack occurred. 

24. The multi-stage intrusion detection system of claim 2 1 , wherein 
responsive to the first condition being satisfied, the first stage adds an indication to the 
packet representing that the first condition is satisfied. 

25. The multi-stage intrusion detection system of claim 24, wherein the 
second stage determines that the packet corresponds to an intrusion attack by determining 
that the indication is added and that the second condition is satisfied. 

26. The multi-stage intrusion detection system of claim 2 1 , wherein the 
network is the Internet and the packet is an IP packet. 
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